The federal Children's Online Privacy Protection Act establishes certain requirements relating to the collection, use and disclosure of the personal information of children on the Internet. (15 U.S.C. §§ 6501 et seq.) Existing federal regulations adopted pursuant to that Act require certain operators of Internet websites to: (1) establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children; and (2) obtain verifiable parental consent before the operator collects, uses or discloses any personal information of a child. (16 C.F.R. §§ 312.5, 312.8) Sections 24-35 of this bill enact certain additional requirements relating to the collection and processing of personal data collected from children on the Internet by controllers. Section 27 defines “controller” to mean any person who: (1) operates or provides any online service, product or feature targeted to persons in this State; and (2) determines the purpose and means of processing personal data. Sections 25-26 and 28-31.9 define certain other terms, and section 24 establishes the applicability of those definitions to sections 24-35. Section 32 exempts certain entities, types of data and activities from the requirements of sections 24-35.
Section 32.5 requires a controller that is in possession of de-identified data to take certain actions with respect to such data, including committing to not re-identify such data and contractually obligating any person to which the controller provides such data to comply with the requirements of section 32.5.
Section 33 requires a controller to, before processing personal data from a known child or collecting the precise geolocation data of such a child, obtain verifiable consent from the parent or legal guardian of the child in accordance with the federal Children's Online Privacy Protection Act. Section 33 prohibits a controller from processing the personal data of a known child for the purposes of: (1) providing targeted advertising to the child; (2) the sale of the personal data of the child; or (3) profiling the child for certain purposes. Section 33 additionally prohibits a controller from processing the personal data or collecting the precise geolocation data of a known child unless such processing or collection, as applicable, is reasonably necessary and limited in duration to enable the controller to provide the online service, product or feature. Section 33 further requires a controller that collects the precise geolocation data of a known child to, during all times that the controller is collecting such data, provide an indication to the child that such collection is occurring. Finally, section 33 requires a controller, if the controller seeks to collect the personal data of a known child with the intent to further process such data, to disclose to the child the purposes of such additional processing. Section 33 prohibits a controller from further processing such data for a purpose other than the purpose disclosed to the child, unless that purpose is necessary for carrying out and compatible with the purpose disclosed to the child.
Section 34 requires a controller that offers any online service, product or feature that is directed at children to conduct and retain a data protection assessment for each processing activity in which the controller engages. Section 34 also requires, in certain circumstances, a controller to provide a data protection assessment prepared by the controller to the Attorney General. Sections 34 and 36 of this bill provide for the confidentiality of the information contained within a data protection assessment that is provided to the Attorney General. Section 34 also provides that, by disclosing to the Attorney General or the Office of the Attorney General a data protection assessment as required by section 34, a controller does not waive certain evidentiary privileges that would otherwise be applicable to the information contained within the data protection assessment.
Existing law provides that a variety of actions constitute deceptive trade practices. (NRS 100.180, 111.2397, 118A.275, 202.24935, 205.377, 226.600, 228.620, 370.695, 597.7642, 597.818, 597.997, 603.170, 603A.260, 603A.550, 604B.910, 676A.770; chapter 598 of NRS) Existing law authorizes a court or the Director of the Department of Business and Industry to impose a civil penalty of not more than $25,000 for each violation upon a person who has engaged in a deceptive trade practice directed toward a minor. (NRS 598.09735) In addition, existing law provides that when the Commissioner of Consumer Affairs or the Director has cause to believe that a person has engaged or is engaging in any deceptive trade practice, the Commissioner or Director may request that the Attorney General represent him or her in instituting an appropriate legal proceeding, including an application for an injunction or temporary restraining order. (NRS 598.0979) Existing law requires a person who violates a court order or injunction resulting from a complaint brought by the Commissioner, the Director, the district attorney of any county of this State or the Attorney General to pay a civil penalty of not more than $10,000 for each violation. Furthermore, if a court finds that a person has willfully engaged in a deceptive trade practice, the person who committed the violation: (1) may be required to pay an additional civil penalty not more than $15,000 for each violation; and (2) is guilty of a felony or misdemeanor, depending on the value of the property or services lost as a result of the deceptive trade practice. (NRS 598.0999) Section 35 requires the Attorney General, upon determining that a controller has violated or is violating any provision of sections 24-35, to provide the controller written notice of the alleged violation. Section 35 makes it a deceptive trade practice for a controller to fail to remedy a violation of sections 24-35 within 30 days after receiving written notice of the violation from the Attorney General. Section 35 grants the Attorney General the exclusive authority to enforce the requirements of sections 24-35 and further provides that those sections do not create a private right of action.
Statutes affected: Reprint 1: 239.010
Reprint 2: 239.010
As Enrolled: 239.010